Due Diligence Can Be a Great Antivirus
A common, and perfectly natural, question I am asked (usually at the end of the kickoff meeting) is “So if we get in compliance with these requirements, we’re safe, right?”
The answer is no. Not really.
As much as I would like to comfort these clients and tell them it’s all going to be ok, I can’t. I would be doing them a disservice, and opening my company up to unnecessary liability. Adopting and adhering to compliance standards is merely a good beginning. The threat landscape is always evolving, and the malefactors usually have the advantage of surprise. In response, the client must always be anticipating threats and adapting to them as proactively as possible.
The client should be continually improving its cybersecurity management system and “adapt[ing] its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators.” (NIST Cybersecurity Framework v1.1) Furthermore, cybersecurity must be fully ingrained into the culture of the company. From the top on down, every employee must be not only aware of present, known risks, but on the lookout for new or unknown ones. Finally, the client must leverage the vast sources of external cybersecurity information that exist, and maintain open communication with vendors and other companies in its supply chain so that proactive controls can be put in place.
It is not nearly enough to hire the best cybersecurity consultants and implement a top-of-the-line cybersecurity management system; the client must be constantly diligent and constantly evolving. I know this all sounds like a lot of work, but I promise it’s all very manageable.